Warning: Permanently added '10.128.1.162' (ED25519) to the list of known hosts.
1970/01/01 00:00:30 parsed 1 programs
[ 31.875810][ T4679] cgroup: Unknown subsys name 'net'
[ 32.025764][ T4679] cgroup: Unknown subsys name 'cpuset'
[ 32.027871][ T4679] cgroup: Unknown subsys name 'rlimit'
Setting up swapspace version 1, size = 127995904 bytes
[ 32.224818][ T4679] Adding 124996k swap on ./swap-file. Priority:0 extents:1 across:124996k SS
[ 35.037061][ T4687] soft_limit_in_bytes is deprecated and will be removed. Please report your usecase to linux-mm@kvack.org if you depend on this functionality.
[ 35.573335][ T4708] bridge0: port 1(bridge_slave_0) entered blocking state
[ 35.573527][ T4708] bridge0: port 1(bridge_slave_0) entered disabled state
[ 35.573590][ T4708] bridge_slave_0: entered allmulticast mode
[ 35.574077][ T4708] bridge_slave_0: entered promiscuous mode
[ 35.577732][ T4708] bridge0: port 2(bridge_slave_1) entered blocking state
[ 35.577778][ T4708] bridge0: port 2(bridge_slave_1) entered disabled state
[ 35.577820][ T4708] bridge_slave_1: entered allmulticast mode
[ 35.578242][ T4708] bridge_slave_1: entered promiscuous mode
[ 35.585252][ T4708] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 35.586118][ T4708] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 35.592302][ T4708] team0: Port device team_slave_0 added
[ 35.593016][ T4708] team0: Port device team_slave_1 added
[ 35.599188][ T4708] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 35.599209][ T4708] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[ 35.599223][ T4708] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 35.599909][ T4708] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 35.599916][ T4708] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[ 35.599927][ T4708] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 35.610519][ T4708] hsr_slave_0: entered promiscuous mode
[ 35.610834][ T4708] hsr_slave_1: entered promiscuous mode
[ 35.656662][ T4708] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 35.659949][ T4708] 8021q: adding VLAN 0 to HW filter on device netdevsim0
[ 35.660632][ T4708] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 35.662427][ T4708] 8021q: adding VLAN 0 to HW filter on device netdevsim1
[ 35.662901][ T4708] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 35.665509][ T4708] 8021q: adding VLAN 0 to HW filter on device netdevsim2
[ 35.665768][ T4708] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 35.667526][ T4708] 8021q: adding VLAN 0 to HW filter on device netdevsim3
[ 35.677720][ T4708] bridge0: port 2(bridge_slave_1) entered blocking state
[ 35.677769][ T4708] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 35.677902][ T4708] bridge0: port 1(bridge_slave_0) entered blocking state
[ 35.677937][ T4708] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 35.693566][ T4708] 8021q: adding VLAN 0 to HW filter on device bond0
[ 35.697902][ T4708] 8021q: adding VLAN 0 to HW filter on device team0
[ 35.699372][ T1433] bridge0: port 1(bridge_slave_0) entered disabled state
[ 35.700824][ T1433] bridge0: port 2(bridge_slave_1) entered disabled state
[ 35.707106][ T1165] bridge0: port 1(bridge_slave_0) entered blocking state
[ 35.707176][ T1165] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 35.708255][ T1165] bridge0: port 2(bridge_slave_1) entered blocking state
[ 35.708279][ T1165] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 35.800815][ T4708] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 35.812415][ T4708] veth0_vlan: entered promiscuous mode
[ 35.815871][ T4708] veth1_vlan: entered promiscuous mode
[ 35.823898][ T4708] veth0_macvtap: entered promiscuous mode
[ 35.826343][ T4708] veth1_macvtap: entered promiscuous mode
[ 35.830974][ T4708] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 35.832435][ T4708] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 35.837472][ T849] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 35.839135][ T849] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 35.845570][ T849] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 35.847264][ T849] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 35.923025][ T849] netdevsim netdevsim0 netdevsim3 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 35.969005][ T849] netdevsim netdevsim0 netdevsim2 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 35.998473][ T849] netdevsim netdevsim0 netdevsim1 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 36.040666][ T849] netdevsim netdevsim0 netdevsim0 (unregistering): unset [1, 0] type 2 family 0 port 6081 - 0
[ 36.142905][ T4757] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 36.143709][ T4757] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 36.143881][ T4757] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 36.144215][ T4757] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 36.144774][ T4757] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 36.244478][ T1165] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 36.246303][ T1165] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 36.254839][ T1165] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 36.256273][ T1165] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
1970/01/01 00:00:36 executed programs: 0
[ 36.648816][ T4757] Bluetooth: hci0: unexpected cc 0x0c03 length: 249 > 1
[ 36.649748][ T4757] Bluetooth: hci0: unexpected cc 0x1003 length: 249 > 9
[ 36.650088][ T4757] Bluetooth: hci0: unexpected cc 0x1001 length: 249 > 9
[ 36.650409][ T4757] Bluetooth: hci0: unexpected cc 0x0c23 length: 249 > 4
[ 36.650645][ T4757] Bluetooth: hci0: unexpected cc 0x0c38 length: 249 > 2
[ 36.781039][ T4780] bridge0: port 1(bridge_slave_0) entered blocking state
[ 36.781154][ T4780] bridge0: port 1(bridge_slave_0) entered disabled state
[ 36.781222][ T4780] bridge_slave_0: entered allmulticast mode
[ 36.781699][ T4780] bridge_slave_0: entered promiscuous mode
[ 36.782497][ T4780] bridge0: port 2(bridge_slave_1) entered blocking state
[ 36.782547][ T4780] bridge0: port 2(bridge_slave_1) entered disabled state
[ 36.782632][ T4780] bridge_slave_1: entered allmulticast mode
[ 36.783041][ T4780] bridge_slave_1: entered promiscuous mode
[ 36.791310][ T4780] bond0: (slave bond_slave_0): Enslaving as an active interface with an up link
[ 36.792212][ T4780] bond0: (slave bond_slave_1): Enslaving as an active interface with an up link
[ 36.798952][ T4780] team0: Port device team_slave_0 added
[ 36.799767][ T4780] team0: Port device team_slave_1 added
[ 36.806627][ T4780] batman_adv: batadv0: Adding interface: batadv_slave_0
[ 36.806651][ T4780] batman_adv: batadv0: The MTU of interface batadv_slave_0 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[ 36.806663][ T4780] batman_adv: batadv0: Not using interface batadv_slave_0 (retrying later): interface not active
[ 36.807201][ T4780] batman_adv: batadv0: Adding interface: batadv_slave_1
[ 36.807208][ T4780] batman_adv: batadv0: The MTU of interface batadv_slave_1 is too small (1500) to handle the transport of batman-adv packets. Packets going over this interface will be fragmented on layer2 which could impact the performance. Setting the MTU to 1532 would solve the problem.
[ 36.807218][ T4780] batman_adv: batadv0: Not using interface batadv_slave_1 (retrying later): interface not active
[ 36.817338][ T4780] hsr_slave_0: entered promiscuous mode
[ 36.817650][ T4780] hsr_slave_1: entered promiscuous mode
[ 36.817866][ T4780] debugfs: 'hsr0' already exists in 'hsr'
[ 36.817913][ T4780] Cannot create hsr debugfs directory
[ 38.714518][ T4757] Bluetooth: hci0: command tx timeout
[ 39.634393][ T849] bridge_slave_1: left allmulticast mode
[ 39.634442][ T849] bridge_slave_1: left promiscuous mode
[ 39.634919][ T849] bridge0: port 2(bridge_slave_1) entered disabled state
[ 39.637124][ T849] bridge_slave_0: left allmulticast mode
[ 39.637136][ T849] bridge_slave_0: left promiscuous mode
[ 39.637199][ T849] bridge0: port 1(bridge_slave_0) entered disabled state
[ 39.738131][ T849] bond0 (unregistering): (slave bond_slave_0): Releasing backup interface
[ 39.775731][ T849] bond0 (unregistering): (slave bond_slave_1): Releasing backup interface
[ 39.815167][ T849] bond0 (unregistering): Released all slaves
[ 39.858738][ T849] hsr_slave_0: left promiscuous mode
[ 39.861701][ T849] hsr_slave_1: left promiscuous mode
[ 39.862078][ T849] batman_adv: batadv0: Interface deactivated: batadv_slave_0
[ 39.862093][ T849] batman_adv: batadv0: Removing interface: batadv_slave_0
[ 39.864897][ T849] batman_adv: batadv0: Interface deactivated: batadv_slave_1
[ 39.864908][ T849] batman_adv: batadv0: Removing interface: batadv_slave_1
[ 39.869252][ T849] veth1_macvtap: left promiscuous mode
[ 39.869300][ T849] veth0_macvtap: left promiscuous mode
[ 39.869341][ T849] veth1_vlan: left promiscuous mode
[ 39.869374][ T849] veth0_vlan: left promiscuous mode
[ 39.974237][ T849] team0 (unregistering): Port device team_slave_1 removed
[ 39.981156][ T849] team0 (unregistering): Port device team_slave_0 removed
[ 40.029455][ T4357] 8021q: adding VLAN 0 to HW filter on device eth0
[ 40.181794][ T4780] netdevsim netdevsim0 netdevsim0: renamed from eth0
[ 40.187554][ T4780] 8021q: adding VLAN 0 to HW filter on device netdevsim0
[ 40.189397][ T4780] netdevsim netdevsim0 netdevsim1: renamed from eth1
[ 40.191790][ T4780] 8021q: adding VLAN 0 to HW filter on device netdevsim1
[ 40.193486][ T4780] netdevsim netdevsim0 netdevsim2: renamed from eth2
[ 40.195974][ T4780] 8021q: adding VLAN 0 to HW filter on device netdevsim2
[ 40.197805][ T4780] netdevsim netdevsim0 netdevsim3: renamed from eth3
[ 40.200055][ T4780] 8021q: adding VLAN 0 to HW filter on device netdevsim3
[ 40.231245][ T4780] 8021q: adding VLAN 0 to HW filter on device bond0
[ 40.239720][ T4780] 8021q: adding VLAN 0 to HW filter on device team0
[ 40.241997][ T1308] bridge0: port 1(bridge_slave_0) entered blocking state
[ 40.242043][ T1308] bridge0: port 1(bridge_slave_0) entered forwarding state
[ 40.245906][ T1308] bridge0: port 2(bridge_slave_1) entered blocking state
[ 40.245946][ T1308] bridge0: port 2(bridge_slave_1) entered forwarding state
[ 40.483554][ T4780] 8021q: adding VLAN 0 to HW filter on device batadv0
[ 40.497966][ T4780] veth0_vlan: entered promiscuous mode
[ 40.499567][ T4780] veth1_vlan: entered promiscuous mode
[ 40.513358][ T4780] veth0_macvtap: entered promiscuous mode
[ 40.516393][ T4780] veth1_macvtap: entered promiscuous mode
[ 40.520202][ T4780] batman_adv: batadv0: Interface activated: batadv_slave_0
[ 40.521158][ T4780] batman_adv: batadv0: Interface activated: batadv_slave_1
[ 40.523605][ T1165] netdevsim netdevsim0 netdevsim0: set [1, 0] type 2 family 0 port 6081 - 0
[ 40.523758][ T1165] netdevsim netdevsim0 netdevsim1: set [1, 0] type 2 family 0 port 6081 - 0
[ 40.523775][ T1165] netdevsim netdevsim0 netdevsim2: set [1, 0] type 2 family 0 port 6081 - 0
[ 40.523790][ T1165] netdevsim netdevsim0 netdevsim3: set [1, 0] type 2 family 0 port 6081 - 0
[ 40.612701][ T40] wlan0: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 40.612736][ T40] wlan0: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ 40.620850][ T40] wlan1: Created IBSS using preconfigured BSSID 50:50:50:50:50:50
[ 40.622379][ T40] wlan1: Creating new IBSS network, BSSID 50:50:50:50:50:50
[ ** replaying previous printk message **
[ 40.698832][ T4864] ==================================================================
[ 40.698846][ T4864] BUG: KASAN: slab-use-after-free in dvb_device_open+0xd0/0x250
[ 40.698863][ T4864] Read of size 8 at addr ffff0000cc530c18 by task syz.0.19/4864
[ 40.698870][ T4864]
[ 40.698874][ T4864] CPU: 1 UID: 0 PID: 4864 Comm: syz.0.19 Not tainted syzkaller #0 PREEMPT
[ 40.698883][ T4864] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
[ 40.698887][ T4864] Call trace:
[ 40.698889][ T4864] show_stack+0x2c/0x3c (C)
[ 40.698901][ T4864] __dump_stack+0x30/0x40
[ 40.698909][ T4864] dump_stack_lvl+0xd8/0x12c
[ 40.698918][ T4864] print_address_description+0xb0/0x238
[ 40.698928][ T4864] print_report+0x68/0x84
[ 40.698937][ T4864] kasan_report+0x8c/0xc4
[ 40.698945][ T4864] __asan_report_load8_noabort+0x20/0x2c
[ 40.698953][ T4864] dvb_device_open+0xd0/0x250
[ 40.698963][ T4864] chrdev_open+0x398/0x3e8
[ 40.698970][ T4864] do_dentry_open+0x5c8/0x10dc
[ 40.698978][ T4864] vfs_open+0x44/0x2d4
[ 40.698986][ T4864] path_openat+0x2234/0x2a6c
[ 40.698993][ T4864] do_file_open+0x1c4/0x2e4
[ 40.698999][ T4864] do_sys_openat2+0x114/0x1e8
[ 40.699007][ T4864] do_sys_open+0xac/0xdc
[ 40.699015][ T4864] __arm64_sys_openat+0x9c/0xb8
[ 40.699023][ T4864] invoke_syscall+0x98/0x244
[ 40.699032][ T4864] el0_svc_common+0xe8/0x23c
[ 40.699040][ T4864] do_el0_svc+0x48/0x58
[ 40.699049][ T4864] el0_svc+0x60/0x25c
[ 40.699058][ T4864] el0t_64_sync_handler+0x48/0x148
[ 40.699066][ T4864] el0t_64_sync+0x198/0x19c
[ 40.699074][ T4864]
[ 40.699076][ T4864] Allocated by task 1:
[ 40.699080][ T4864] kasan_save_track+0x40/0x78
[ 40.699089][ T4864] kasan_save_alloc_info+0x44/0x54
[ 40.699096][ T4864] __kasan_kmalloc+0x9c/0xb4
[ 40.699101][ T4864] __kmalloc_cache_noprof+0x284/0x56c
[ 40.699109][ T4864] dvb_register_device+0x1ac/0x16ec
[ 40.699117][ T4864] dvb_register_frontend+0x464/0x698
[ 40.699124][ T4864] vidtv_bridge_probe+0x57c/0xa24
[ 40.699132][ T4864] platform_probe+0xfc/0x198
[ 40.699139][ T4864] really_probe+0x2a8/0x7e8
[ 40.699147][ T4864] __driver_probe_device+0x1e0/0x33c
[ 40.699155][ T4864] driver_probe_device+0x6c/0x19c
[ 40.699163][ T4864] __driver_attach+0x164/0x374
[ 40.699171][ T4864] bus_for_each_dev+0x128/0x1b4
[ 40.699178][ T4864] driver_attach+0x4c/0x5c
[ 40.699189][ T4864] bus_add_driver+0x208/0x4fc
[ 40.699197][ T4864] driver_register+0x220/0x30c
[ 40.699202][ T4864] __platform_driver_register+0x6c/0x80
[ 40.699208][ T4864] vidtv_bridge_init+0x34/0x5c
[ 40.699218][ T4864] do_one_initcall+0x274/0xc20
[ 40.699225][ T4864] do_initcall_level+0x128/0x1c4
[ 40.699233][ T4864] do_initcalls+0x70/0xd0
[ 40.699239][ T4864] do_basic_setup+0x7c/0x90
[ 40.699245][ T4864] kernel_init_freeable+0x268/0x3a8
[ 40.699252][ T4864] kernel_init+0x24/0x1dc
[ 40.699260][ T4864] ret_from_fork+0x10/0x20
[ 40.699268][ T4864]
[ 40.699269][ T4864] Freed by task 4862:
[ 40.699272][ T4864] kasan_save_track+0x40/0x78
[ 40.699281][ T4864] kasan_save_free_info+0x58/0x70
[ 40.699287][ T4864] __kasan_slab_free+0x74/0xa4
[ 40.699292][ T4864] kfree+0x188/0x5e4
[ 40.699299][ T4864] dvb_device_put+0x64/0xd0
[ 40.699307][ T4864] dvb_device_open+0x238/0x250
[ 40.699315][ T4864] chrdev_open+0x398/0x3e8
[ 40.699321][ T4864] do_dentry_open+0x5c8/0x10dc
[ 40.699327][ T4864] vfs_open+0x44/0x2d4
[ 40.699333][ T4864] path_openat+0x2234/0x2a6c
[ 40.699338][ T4864] do_file_open+0x1c4/0x2e4
[ 40.699344][ T4864] do_sys_openat2+0x114/0x1e8
[ 40.699350][ T4864] do_sys_open+0xac/0xdc
[ 40.699356][ T4864] __arm64_sys_openat+0x9c/0xb8
[ 40.699363][ T4864] invoke_syscall+0x98/0x244
[ 40.699370][ T4864] el0_svc_common+0xe8/0x23c
[ 40.699377][ T4864] do_el0_svc+0x48/0x58
[ 40.699384][ T4864] el0_svc+0x60/0x25c
[ 40.699391][ T4864] el0t_64_sync_handler+0x48/0x148
[ 40.699398][ T4864] el0t_64_sync+0x198/0x19c
[ 40.699403][ T4864]
[ 40.699404][ T4864] The buggy address belongs to the object at ffff0000cc530c00
[ 40.699404][ T4864] which belongs to the cache kmalloc-256 of size 256
[ 40.699410][ T4864] The buggy address is located 24 bytes inside of
[ 40.699410][ T4864] freed 256-byte region [ffff0000cc530c00, ffff0000cc530d00)
[ 40.699417][ T4864]
[ 40.699419][ T4864] The buggy address belongs to the physical page:
[ 40.699423][ T4864] page: refcount:0 mapcount:0 mapping:0000000000000000 index:0x0 pfn:0x10c530
[ 40.699429][ T4864] head: order:1 mapcount:0 entire_mapcount:0 nr_pages_mapped:0 pincount:0
[ 40.699435][ T4864] flags: 0x5ffc00000000040(head|node=0|zone=2|lastcpupid=0x7ff)
[ 40.699442][ T4864] page_type: f5(slab)
[ 40.699448][ T4864] raw: 05ffc00000000040 ffff0000c0001b40 dead000000000100 dead000000000122
[ 40.699454][ T4864] raw: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
[ 40.699459][ T4864] head: 05ffc00000000040 ffff0000c0001b40 dead000000000100 dead000000000122
[ 40.699464][ T4864] head: 0000000000000000 0000000800100010 00000000f5000000 0000000000000000
[ 40.699470][ T4864] head: 05ffc00000000001 fffffdffc3314c01 00000000ffffffff 00000000ffffffff
[ 40.699475][ T4864] head: ffffffffffffffff 0000000000000000 00000000ffffffff 0000000000000002
[ 40.699478][ T4864] page dumped because: kasan: bad access detected
[ 40.699481][ T4864]
[ 40.699482][ T4864] Memory state around the buggy address:
[ 40.699486][ T4864] ffff0000cc530b00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.699490][ T4864] ffff0000cc530b80: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.699494][ T4864] >ffff0000cc530c00: fa fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.699497][ T4864] ^
[ 40.699501][ T4864] ffff0000cc530c80: fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb fb
[ 40.699505][ T4864] ffff0000cc530d00: fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc fc
[ 40.699508][ T4864] ==================================================================
[ 40.699525][ T4864] Disabling lock debugging due to kernel taint
[ 40.699534][ T4864] ------------[ cut here ]------------
[ 40.699545][ T4864] refcount_t: addition on 0; use-after-free.
[ 40.699654][ T4864] WARNING: lib/refcount.c:25 at refcount_warn_saturate+0x134/0x1f8, CPU#1: syz.0.19/4864
[ 40.808337][ T4864] Modules linked in:
[ 40.809123][ T4864] CPU: 1 UID: 0 PID: 4864 Comm: syz.0.19 Tainted: G B syzkaller #0 PREEMPT
[ 40.811022][ T4864] Tainted: [B]=BAD_PAGE
[ 40.811830][ T4864] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
[ 40.813726][ T4864] pstate: 63400005 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
[ 40.815206][ T4864] pc : refcount_warn_saturate+0x134/0x1f8
[ 40.816269][ T4864] lr : refcount_warn_saturate+0x134/0x1f8
[ 40.817344][ T4864] sp : ffff8000944c7540
[ 40.818086][ T4864] x29: ffff8000944c7540 x28: ffff0000d71efc48 x27: dfff800000000000
[ 40.819555][ T4864] x26: ffff700012898ebc x25: dfff800000000000 x24: ffff80008725c908
[ 40.821048][ T4864] x23: ffff0000d71efc48 x22: ffff0000cbb55800 x21: 0000000000000000
[ 40.822594][ T4864] x20: ffff0000cc530c10 x19: ffff800089f06000 x18: 0000000000000000
[ 40.824095][ T4864] x17: 3d3d3d3d3d3d3d3d x16: 3d3d3d3d3d3d3d3d x15: 3d3d3d3d3d3d3d3d
[ 40.825521][ T4864] x14: 3d3d3d3d3d3d3d3d x13: 0000000000000001 x12: 0000000000000000
[ 40.826999][ T4864] x11: 00000000000007ba x10: 0000000000ff0100 x9 : edf704ff7a94d500
[ 40.828459][ T4864] x8 : edf704ff7a94d500 x7 : 0000000000000000 x6 : ffff8000804886d0
[ 40.830024][ T4864] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff8000802f13b0
[ 40.831412][ T4864] x2 : 0000000100000000 x1 : ffff0000cd939d00 x0 : 0000000000000000
[ 40.832824][ T4864] Call trace:
[ 40.833430][ T4864] refcount_warn_saturate+0x134/0x1f8 (P)
[ 40.834455][ T4864] dvb_device_get+0x9c/0xbc
[ 40.835244][ T4864] dvb_device_open+0x100/0x250
[ 40.836102][ T4864] chrdev_open+0x398/0x3e8
[ 40.836874][ T4864] do_dentry_open+0x5c8/0x10dc
[ 40.837700][ T4864] vfs_open+0x44/0x2d4
[ 40.838462][ T4864] path_openat+0x2234/0x2a6c
[ 40.839340][ T4864] do_file_open+0x1c4/0x2e4
[ 40.840160][ T4864] do_sys_openat2+0x114/0x1e8
[ 40.841029][ T4864] do_sys_open+0xac/0xdc
[ 40.841823][ T4864] __arm64_sys_openat+0x9c/0xb8
[ 40.842722][ T4864] invoke_syscall+0x98/0x244
[ 40.843561][ T4864] el0_svc_common+0xe8/0x23c
[ 40.844399][ T4864] do_el0_svc+0x48/0x58
[ 40.845153][ T4864] el0_svc+0x60/0x25c
[ 40.845932][ T4864] el0t_64_sync_handler+0x48/0x148
[ 40.846906][ T4864] el0t_64_sync+0x198/0x19c
[ 40.847759][ T4864] irq event stamp: 3531
[ 40.848534][ T4864] hardirqs last enabled at (3531): [] arm64_exit_to_kernel_mode+0x7c/0x90
[ 40.850514][ T4864] hardirqs last disabled at (3530): [] el1_interrupt+0x28/0x60
[ 40.852248][ T4864] softirqs last enabled at (3500): [] local_bh_enable+0x10/0x34
[ 40.853996][ T4864] softirqs last disabled at (3498): [] local_bh_disable+0x10/0x34
[ 40.855592][ T4864] ---[ end trace 0000000000000000 ]---
[ 40.857046][ T4757] Bluetooth: hci0: command tx timeout
[ 40.8 ** replaying previous printk message **
[ 40.863814][ T4864] ------------[ cut here ]------------
[ 40.863838][ T4864] refcount_t: underflow; use-after-free.
[ 40.863954][ T4864] WARNING: lib/refcount.c:28 at refcount_warn_saturate+0x154/0x1f8, CPU#1: syz.0.19/4864
[ 40.868558][ T4864] Modules linked in:
[ 40.869265][ T4864] CPU: 1 UID: 0 PID: 4864 Comm: syz.0.19 Tainted: G B W syzkaller #0 PREEMPT
[ 40.871275][ T4864] Tainted: [B]=BAD_PAGE, [W]=WARN
[ 40.872239][ T4864] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
[ 40.874167][ T4864] pstate: 63400005 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
[ 40.875600][ T4864] pc : refcount_warn_saturate+0x154/0x1f8
[ 40.876666][ T4864] lr : refcount_warn_saturate+0x154/0x1f8
[ 40.877748][ T4864] sp : ffff8000944c7420
[ 40.878493][ T4864] x29: ffff8000944c7420 x28: ffff0000cbaf8060 x27: 00000000fffffffc
[ 40.880040][ T4864] x26: ffff0000cc530c3c x25: ffff0000cbaf8010 x24: ffff0000d71efc00
[ 40.881659][ T4864] x23: ffff0000cbdb6308 x22: 1fffe000198a6187 x21: 00000000c0000000
[ 40.883172][ T4864] x20: ffff0000cc530c10 x19: ffff800089f06000 x18: 0000000000000000
[ 40.884596][ T4864] x17: 3d3d3d3d3d3d3d3d x16: 3d3d3d3d3d3d3d3d x15: 3d3d3d3d3d3d3d3d
[ 40.886126][ T4864] x14: 3d3d3d3d3d3d3d3d x13: 0000000000000001 x12: 0000000000000000
[ 40.887558][ T4864] x11: 0000000000000808 x10: 0000000000ff0100 x9 : edf704ff7a94d500
[ 40.889083][ T4864] x8 : edf704ff7a94d500 x7 : 0000000000000000 x6 : ffff8000804886d0
[ 40.890596][ T4864] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff8000802f13b0
[ 40.892165][ T4864] x2 : 0000000100000000 x1 : ffff0000cd939d00 x0 : 0000000000000000
[ 40.893701][ T4864] Call trace:
[ 40.894308][ T4864] refcount_warn_saturate+0x154/0x1f8 (P)
[ 40.895319][ T4864] dvb_device_put+0xac/0xd0
[ 40.896129][ T4864] dvb_generic_release+0xec/0x154
[ 40.897031][ T4864] dvb_frontend_open+0x9b8/0x105c
[ 40.897957][ T4864] dvb_device_open+0x1f4/0x250
[ 40.898847][ T4864] chrdev_open+0x398/0x3e8
[ 40.899662][ T4864] do_dentry_open+0x5c8/0x10dc
[ 40.900491][ T4864] vfs_open+0x44/0x2d4
[ 40.901165][ T4864] path_openat+0x2234/0x2a6c
[ 40.901931][ T4864] do_file_open+0x1c4/0x2e4
[ 40.902731][ T4864] do_sys_openat2+0x114/0x1e8
[ 40.903651][ T4864] do_sys_open+0xac/0xdc
[ 40.904415][ T4864] __arm64_sys_openat+0x9c/0xb8
[ 40.905267][ T4864] invoke_syscall+0x98/0x244
[ 40.906077][ T4864] el0_svc_common+0xe8/0x23c
[ 40.906947][ T4864] do_el0_svc+0x48/0x58
[ 40.907698][ T4864] el0_svc+0x60/0x25c
[ 40.908436][ T4864] el0t_64_sync_handler+0x48/0x148
[ 40.909351][ T4864] el0t_64_sync+0x198/0x19c
[ 40.910189][ T4864] irq event stamp: 3531
[ 40.910919][ T4864] hardirqs last enabled at (3531): [] arm64_exit_to_kernel_mode+0x7c/0x90
[ 40.912807][ T4864] hardirqs last disabled at (3530): [] el1_interrupt+0x28/0x60
[ 40.914453][ T4864] softirqs last enabled at (3500): [] local_bh_enable+0x10/0x34
[ 40.916182][ T4864] softirqs last disabled at (3498): [] local_bh_disable+0x10/0x34
[ 40.917876][ T4864] ---[ end trace 0000000000000000 ]---
[ 40. ** replaying previous printk message **
[ 40.929051][ T4866] ------------[ cut here ]------------
[ 40.929070][ T4866] refcount_t: saturated; leaking memory.
[ 40.929188][ T4866] WARNING: lib/refcount.c:22 at refcount_warn_saturate+0x1b4/0x1f8, CPU#1: syz.0.20/4866
[ 40.933435][ T4866] Modules linked in:
[ 40.934104][ T4866] CPU: 1 UID: 0 PID: 4866 Comm: syz.0.20 Tainted: G B W syzkaller #0 PREEMPT
[ 40.936031][ T4866] Tainted: [B]=BAD_PAGE, [W]=WARN
[ 40.936984][ T4866] Hardware name: Google Google Compute Engine/Google Compute Engine, BIOS Google 03/18/2026
[ 40.938874][ T4866] pstate: 63400005 (nZCv daif +PAN -UAO +TCO +DIT -SSBS BTYPE=--)
[ 40.940366][ T4866] pc : refcount_warn_saturate+0x1b4/0x1f8
[ 40.941434][ T4866] lr : refcount_warn_saturate+0x1b4/0x1f8
[ 40.942509][ T4866] sp : ffff8000944c7540
[ 40.943265][ T4866] x29: ffff8000944c7540 x28: ffff0000d7a0b8c8 x27: dfff800000000000
[ 40.944653][ T4866] x26: ffff700012898ebc x25: dfff800000000000 x24: ffff80008725c908
[ 40.946105][ T4866] x23: ffff0000d7a0b8c8 x22: 000000007ffffffe x21: 00000000c0000000
[ 40.947645][ T4866] x20: ffff0000cc530c10 x19: ffff800089f06000 x18: 0000000000000000
[ 40.949132][ T4866] x17: 0000000000000000 x16: 0000000000000000 x15: 0000000000000000
[ 40.950680][ T4866] x14: 00000000ffff8000 x13: 0000000000000001 x12: 0000000000000000
[ 40.952213][ T4866] x11: 0000000000000857 x10: 0000000000ff0100 x9 : 0c4b45b88f76bd00
[ 40.953748][ T4866] x8 : 0c4b45b88f76bd00 x7 : 0000000000000000 x6 : ffff8000804886d0
[ 40.955196][ T4866] x5 : 0000000000000000 x4 : 0000000000000000 x3 : ffff8000802f13b0
[ 40.956642][ T4866] x2 : 0000000100000000 x1 : ffff0000d3f7ba00 x0 : 0000000000000000
[ 40.958074][ T4866] Call trace:
[ 40.958649][ T4866] refcount_warn_saturate+0x1b4/0x1f8 (P)
[ 40.959689][ T4866] dvb_device_get+0x9c/0xbc
[ 40.960488][ T4866] dvb_device_open+0x100/0x250
[ 40.961311][ T4866] chrdev_open+0x398/0x3e8
[ 40.962172][ T4866] do_dentry_open+0x5c8/0x10dc
[ 40.963047][ T4866] vfs_open+0x44/0x2d4
[ 40.963807][ T4866] path_openat+0x2234/0x2a6c
[ 40.964662][ T4866] do_file_open+0x1c4/0x2e4
[ 40.965477][ T4866] do_sys_openat2+0x114/0x1e8
[ 40.966345][ T4866] do_sys_open+0xac/0xdc
[ 40.967086][ T4866] __arm64_sys_openat+0x9c/0xb8
[ 40.967924][ T4866] invoke_syscall+0x98/0x244
[ 40.968828][ T4866] el0_svc_common+0xe8/0x23c
[ 40.969681][ T4866] do_el0_svc+0x48/0x58
[ 40.970470][ T4866] el0_svc+0x60/0x25c
[ 40.971216][ T4866] el0t_64_sync_handler+0x48/0x148
[ 40.972219][ T4866] el0t_64_sync+0x198/0x19c
[ 40.973071][ T4866] irq event stamp: 0
[ 40.973803][ T4866] hardirqs last enabled at (0): [<0000000000000000>] 0x0
[ 40.975044][ T4866] hardirqs last disabled at (0): [] copy_process+0x1358/0x3344
[ 40.976611][ T4866] softirqs last enabled at (0): [] copy_process+0x1380/0x3344
[ 40.978195][ T4866] softirqs last disabled at (0): [<0000000000000000>] 0x0
[ 40.979425][ T4866] ---[ end trace 0000000000000000 ]---
1970/01/01 00:00:41 executed programs: 42
[ 42.874349][ T4757] Bluetooth: hci0: command tx timeout
[ 44.954284][ T4757] Bluetooth: hci0: command tx timeout
1970/01/01 00:00:46 executed programs: 327